Topic: Some basic and advanced questions

I've been using 2.0 for some time now and I'm very happy with this firewall!

I do have some questions that I'm hoping that you guys can help me with.

1) I am not running any DNS server in my network because I find this somewhat overkill for a home network. pfSense is used as a DHCP server and the DNS is also set to the gateway pfSense IP. I believe pfSense automatically uses the WAN DNS setting from my cable modem as the primary DNS.

This works perfectly for browsing the net and connecting to other Windows machines by hostname. Somehow Windows machines can find each other by hostname/DNS, but my other non-Windows machines fail to work with hostnames. For example my Apache2 webserver on Ubuntu cannot be reached by http://webserver01. The workaround I have right now is manually editing my hosts file on this PC, but this is obviously not a very neat solution. Can you guys tell me if it is possible to configure pfSense to use a select list of IPs / hostnames (hosts file?) and, if not found, reroute to the DNS of my modem?

My goal would be to be able to reach all my servers/clients by hostname without editing hosts files on the machines etc. I could live with the fact that I have to manually edit a hosts file on the pfSense machine so I wouldn't have to install/configure a DNS server on the pfSense. But adding other IPs and hostnames to the pfSense hosts file does not seem to work (even after an ipconfig flush on the clients).

Anybody have any ideas on how I could set this up or get this working without setting up a complete DNS package/server?

2) Is it possible to add a MAC address source entry for a firewall rule? To make sure only my laptop and iPhone can reach my IP cam? Right now I have it set to a specific port (myexternalip:portnumber), which makes it harder to find this web-based IP cam, but I still find it somewhat scary that people can log on to it if they do a port scan or guess the port number. I would rather block it entirely, but I would still like to be able to use my iPhone and view the camera when not at home. Would it be possible to set up a MAC address rule to allow only traffic from that device?

The MAC address of your iPhone does not get broadcast over the complete internet; it just gets broadcast to the next router, which is your UMTS provider or something like that.

Simply put up an authentication page in front of your webcam and use a good password.

1) I forgot to mention that I tried the DNS forwarder option, but this only works with domain names. I want to be able to use http://webserver01 instead of http://webserver.home.local (the last option does work with the DNS forwarder, by the way).

2) I can't modify the web page software on this IP cam device, so not much I can do.

Well, for the 2nd: if you have your webserver running all the time, you can set up a proxy host in Apache with an authentication page which, after successful auth on the Apache, redirects you to your webcam.

1) DNS forwarder is sufficient for this. I use https://fw/ without a problem to connect to the firewall and http://srv/ to my webserver.

Windows machines work because of NetBIOS broadcasting/spamming the network looking for a response.

Under your DHCP settings on pfSense, make sure it is issuing itself as the DNS server to clients. Check your Windows/Apache boxes to make sure the DNS listed is the pfSense IP address. I use the DHCP forwarding service and I have no problems with using the hostname alone.

Alternatively, you can also set static DNS entries under the DNS forwarder options. (This also requires your computers to be set to use the pfSense as the DNS server.)

MACs can be spoofed just as easily. Like a previous poster mentioned, you can put some sort of authentication on the Apache server. If you're accessing it from your iPhone or other wireless device, maybe just allow a specific subnet. (4.5.0.0/24 or w/e the CIDR range is for something like that, I never got that down pat.) How many AT&T iPhones are port-scanning and hacking, lol? This will at least reduce the odds considerably.

Yeah, I figured it was NetBIOS spamming. DHCP: the DNS IPs are blank, so it will use its default pfSense gateway IP.

Authentication on another server is pretty pointless, I think, because I would have to make a NAT entry to the Apache server and then forward them to the webcam IP page. If people were to guess the IP:port combo they could skip the Apache page. I might as well leave the Apache NAT entry out of the picture and just use the IP:port combo and hope they don't scan it.

1. The DNS forwarder works for me. I have pfSense set to send itself as the DNS entry in DHCP, and then it relays the DNS query out to whatever DNS provider I choose. You can leave it set to your ISP's server or use OpenDNS, as I do. Make sure you check the box that adds your DHCP leases to the DNS server. I forget whether it's in the DHCP or DNS screen.

2. Why not set up a VPN? Then you don't need to enable any outside access, and you can do a lot of other neat things with it as well.

1) I have the "DHCP register in DNS" option checked, DNS forwarder enabled, made a static entry, and still no go. On my own PC I have even set the DNS server manually in the adapter settings window.

2) VPN is not really an option when you want to quickly check the camera, or the webmail, when on a different network, internet cafe, hotel etc. In my opinion VPN is more of a risk because you physically connect both networks. I'd rather have one NAT entry mapped and the rest closed.

To get that working, you have to enable the DNS forwarder and have both "Register DHCP..." options enabled. The DNS forwarder acts as a small DNS server, which will fulfil all requests inside your home net.

Now you reach your webserver via http://webserver01.local on your net. If you then enter "local" (without the quotes) under "Search domain list" on the DHCP settings page, you will find your webserver via http://webserver01.

Hope that answers your questions. No hosts-file hacking necessary. Good luck!
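As an added illustration (not from any poster, and not the configuration pfSense itself generates), here is a hand-written dnsmasq configuration that does what the last post describes: it answers for the local domain itself, registers DHCP leases and a static host override under that domain, pushes the search domain to clients so a bare name like webserver01 expands to webserver01.local, and forwards everything else upstream. The interface name, the 192.168.1.0/24 addressing and the upstream resolver are constructed placeholders.

```conf
# Constructed dnsmasq.conf mirroring the pfSense "DNS forwarder" setup in the
# thread. Interface name and all addresses below are assumptions.

interface=lan0              # assumed LAN interface; only serve the home net
domain=local                # pfSense: System > General Setup > Domain
local=/local/               # answer *.local here, never send it upstream
expand-hosts                # bare names from /etc/hosts also get ".local" appended

# "Register DHCP leases in DNS forwarder": every lease handed out here is
# answered as <hostname>.local. pfSense 2.0 uses ISC dhcpd for DHCP; dnsmasq
# does DHCP and DNS in one daemon, so one file covers both.
dhcp-range=192.168.1.100,192.168.1.200,12h
dhcp-option=option:router,192.168.1.1
dhcp-option=option:dns-server,192.168.1.1   # clients must ask the forwarder,
                                            # not the ISP resolver directly
dhcp-option=option:domain-search,local      # DHCP "Search domain list": the
                                            # client resolver turns "webserver01"
                                            # into "webserver01.local" itself

# Static "Host override" for a box whose DHCP client does not send a hostname
host-record=webserver01.local,192.168.1.10

# Anything that is not *.local goes to the chosen upstream (ISP or OpenDNS).
no-resolv                                   # ignore the box's own resolv.conf
server=203.0.113.53                         # placeholder upstream (TEST-NET-3)
```

Note that setting the DNS server by hand in the adapter settings, as the original poster did, does not give the client a search list, so bare names still fail until the search domain is pushed by DHCP or configured on the client. The domain name "local" is what the thread uses, but Apple devices, including the iPhone mentioned, reserve .local for multicast DNS and will not send those lookups to the forwarder, so a domain such as home.lan avoids that clash.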